VLC reveals the dark underbelly of the Android app signature

Security on Android, and more specifically application signing, is far from all sweetness and light. You may have heard that our good old VLC has been having trouble updating its Android app on the Play Store recently.

So why the blockage? Quite simply because Google decided to require App Bundles for every app that offers TV features. So far, no problem. Except that this new format requires the private signing key to be handed over to Google. And that is simply out of the question for the VLC team!

Giving your private key to a third party is like giving your apartment keys to your neighbor. This is the basis of security: what is private must remain private. Otherwise, you might as well leave your door wide open with a “help yourself” sign! 😅

Since the beginning of Android, every app has been installed from an APK file. This file contains everything needed: code, resources, data… And to verify that an APK is authentic, it must be signed with a private key generated by the developer. Anyone can then check the signature with the corresponding public key.

The advantage of this system is that it guarantees the integrity of the application. If the developer loses their private key or its password, they can no longer publish updates, because the new signature doesn't match. And if they give their key to someone else, that person can sign their own builds, which will be treated as legitimate. Do you see the problem now?

With App Bundles, we move to a dual-key system: an upload key lets the Play Store verify that whoever submits the file is legitimate. So far so good. But the signing key (the release key) must be held by Google! In other words, the Play Store signs the app instead of the developer. That is the private key Google is asking VLC for today.

Google has tried to soften the problem with a mechanism that lets recent devices (Android 11+) install an update signed with a different key, provided proof of the key change is supplied. But for an app like VLC, which also supports old devices and TVs, that doesn't work.
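To make the rules in the last few paragraphs concrete, here is a small Go model of the device-side check, added for this article and not code from VLC or Android: an update is accepted only when it is signed by the same key as the installed app, and a device that understands key-change proofs (the Android 11+ case above) can also accept a new key that the old one vouches for, while an older device cannot. Ed25519, the deterministic demo keys and the proof format are assumptions made for illustration; real APK signing uses certificates and the APK signature schemes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
)

// Package is a stand-in for a signed APK: contents, signer public key and signature.
// PrevSigner/ProofSig model the "proof of key change" only Android 11+ devices can use.
type Package struct {
	Contents   []byte
	Signer     ed25519.PublicKey
	Sig        []byte
	PrevSigner ed25519.PublicKey // installed key vouching for Signer, or nil
	ProofSig   []byte            // signature by PrevSigner over Signer
}

// NewKey derives a deterministic demo key from a seed (constructed for this example).
func NewKey(seed string) ed25519.PrivateKey {
	s := sha256.Sum256([]byte(seed))
	return ed25519.NewKeyFromSeed(s[:])
}

// Sign produces a package; whoever holds priv (developer or store) gets the same result.
func Sign(priv ed25519.PrivateKey, contents []byte) Package {
	pub := priv.Public().(ed25519.PublicKey)
	return Package{Contents: contents, Signer: pub, Sig: ed25519.Sign(priv, contents)}
}

// WithRotationProof has the old key vouch for the package's new signer.
func WithRotationProof(pkg Package, oldPriv ed25519.PrivateKey) Package {
	pkg.PrevSigner = oldPriv.Public().(ed25519.PublicKey)
	pkg.ProofSig = ed25519.Sign(oldPriv, pkg.Signer)
	return pkg
}

// AcceptUpdate is the device-side rule: valid signature and the same signer as the
// installed app; a rotation-aware device also accepts a new signer the old key vouches for.
func AcceptUpdate(installed ed25519.PublicKey, pkg Package, supportsRotation bool) bool {
	if !ed25519.Verify(pkg.Signer, pkg.Contents, pkg.Sig) {
		return false // tampered contents or bad signature
	}
	if installed.Equal(pkg.Signer) {
		return true // same key as the installed app (whoever holds it)
	}
	if supportsRotation && pkg.ProofSig != nil && installed.Equal(pkg.PrevSigner) {
		return ed25519.Verify(pkg.PrevSigner, pkg.Signer, pkg.ProofSig)
	}
	return false // older device, or no valid proof: update refused
}
```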

As a result, the VLC team is faced with a difficult choice:

  1. Hand the private key to Google and keep publishing as usual. Benefit: none. Risk: Google gets full control over the app's updates and security. Needless to say, that's a no.
  2. Remove TV support from the APKs published on the Play Store. Benefit: no need to hand over the private key for recent devices. Downside: TV support is no longer available for older devices (Android 10 and earlier). Not great.
  3. Ignore App Bundles entirely. Benefit: none. Downside: the app would become incompatible with 30% of current users. Not a chance!

In short, as you will have gathered, the VLC team is at a standstill, which is why no update has been released on the Play Store in the last few months.

And it's not just a matter of principle. The Play Store is not the only store on Android: VLC is also distributed from the official website, the Amazon AppStore, Huawei AppGallery… So handing the key to Google would compromise the whole release chain.

Unfortunately, unless Google changes these new requirements, there is no point in continuing to offer TV support to older Android devices through the Play Store.

It's frustrating for developers, who have their hands tied, but it's also worrying for us as users. When the world's largest app store starts demanding developers' private keys, we can reasonably ask questions about its notion of security and privacy.

Hopefully Google will listen to the criticism and backtrack. In the meantime, all we can do is support developers like VLC who stand their ground and keep putting their users' safety first.

If you're interested, you can follow the whole story in detail in this fascinating article (yes, I promise): VLC for Android updates on the Play Store
